Update GitHub Actions and configurations

**Added:**
- Added CODEOWNERS file for automatic code review assignments.
- Introduced labeler configuration and labels for automatic labeling of PRs.
- Implemented Renovate Bot configuration for dependency management.
- Added CodeQL Analysis workflow for security scanning.
- Included workflows for meta-labeler and meta-sync-labels.

**Changed:**
- Updated GoReleaser workflow to use latest actions and Go version.
- Modified pre-commit workflow to include workflow dispatch and simplify steps.
- Updated Semgrep workflow to include schedule and improved container usage.
- Introduced Tests workflow for running tests and code coverage.
- Adjusted Renovate workflow for improved automation and configuration.

**Removed:**
- Removed ISSUE_TEMPLATE for bug-report and feature-request.
- Deleted dependabot configuration in favor of Renovate Bot.
- Removed outdated .gvm file.

**Fixed:**
- Fixed formatting and dependency issues in various workflows.

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
+* @l50

.github/labeler.yaml

@@ -0,0 +1,26 @@
+---
+area/github:
+  - changed-files:
+      - any-glob-to-any-file: ".github/**/*"
+
+area/pre-commit:
+  - changed-files:
+      - any-glob-to-any-file: ".pre-commit-config.yaml"
+      - any-glob-to-any-file: ".hooks/**/*"
+
+area/cmd:
+  - changed-files:
+      - any-glob-to-any-file: "cmd/**/*.go"
+
+area/docs:
+  - changed-files:
+      - any-glob-to-any-file: "docs/*"
+
+area/magefiles:
+  - changed-files:
+      - any-glob-to-any-file: "magefiles/*"
+
+area/go:
+  - changed-files:
+      - any-glob-to-any-file: "go.mod"
+      - any-glob-to-any-file: "go.sum"

.github/labels.yaml

@@ -0,0 +1,60 @@
+---
+# Area
+- name: area/github
+  color: "72ccf3"
+  description: >-
+    Changes made to github actions
+- name: area/pre-commit
+  color: "BC9BE3"
+  description: >-
+    Changes made to pre-commit hooks
+- name: area/cmd
+  color: "7BD7E0"
+  description: >-
+    Changes made to cmd resources
+- name: area/docs
+  color: "7BD7D0"
+  description: >-
+    Changes made to docs resources
+- name: area/magefiles
+  color: "7A61D7"
+  description: >-
+    Changes made to Magefiles
+- name: area/go
+  color: "7BD7E0"
+  description: >-
+    Changes made to go.mod and go.sum
+
+# Renovate
+- name: renovate/container
+  color: "ffc300"
+- name: renovate/github-action
+  color: "ffc300"
+- name: renovate/github-release
+  color: "ffc300"
+
+# Semantic Type
+- name: type/digest
+  color: "FFEC19"
+- name: type/patch
+  color: "FFEC19"
+- name: type/minor
+  color: "FF9800"
+- name: type/major
+  color: "F6412D"
+- name: type/break
+  color: "F6412D"
+
+# Uncategorized
+- name: bug
+  color: "ee0701"
+- name: do-not-merge
+  color: "ee0701"
+- name: docs
+  color: "F4D1B7"
+- name: enhancement
+  color: "84b6eb"
+- name: question
+  description: >-
+    Clarification and/or additional information required to move forward
+  color: "cc317c"

.github/renovate-bot.json5

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "username": "rosey-bot[bot]",
+  "gitAuthor": "rosey-bot <98030736+rosey-bot[bot]@users.noreply.github.com>",
+  "repositories": ["fbsamples/caldera-security-tests"]
+}

.github/renovate.json5

@@ -0,0 +1,44 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: [
+    "config:base",
+    "docker:enableMajor",
+    ":disableRateLimiting",
+    ":dependencyDashboard",
+    ":semanticCommits",
+    ":enablePreCommit",
+    ":automergeDigest",
+    ":automergeBranch",
+    "helpers:pinGitHubActionDigests"
+  ],
+  dependencyDashboardTitle: "Renovate Dashboard 🤖",
+  suppressNotifications: ["prIgnoreNotification"],
+  rebaseWhen: "conflicted",
+  commitBodyTable: true,
+  "pre-commit": {
+    enabled: true
+  },
+  packageRules: [
+    {
+      matchManagers: ["gomod"],
+      matchPackagePatterns: ["*"],
+      enabled: true
+    },
+    {
+      description: "Auto merge GitHub Actions",
+      matchManagers: ["github-actions"],
+      automerge: true,
+      automergeType: "pr"
+    }
+  ],
+  customManagers: [
+    {
+      customType: "regex",
+      fileMatch: [".sh$"],
+      matchStrings: [
+        "go install (?<depName>[^@]+?)@(?<currentValue>[0-9.-a-zA-Z]+)"
+      ],
+      datasourceTemplate: "go"
+    }
+  ]
+}

.github/renovate/autoMerge.json5

@@ -0,0 +1,20 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "packageRules": [
+    {
+      "description": "Auto merge GitHub Actions",
+      "matchDatasources": ["gomod"],
+      "automerge": true,
+      "automergeType": "branch",
+      "matchUpdateTypes": ["digest"]
+    },
+    {
+      "description": "Auto-merge GitHub Actions for minor and patch",
+      "matchManagers": ["github-actions"],
+      "matchDatasources": ["github-tags"],
+      "automerge": true,
+      "automergeType": "branch",
+      "matchUpdateTypes": ["minor", "patch"]
+    },
+  ]
+}

.github/workflows/codeql-analysis.yaml

@@ -0,0 +1,39 @@
+---
+name: 🚨 CodeQL Analysis
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  codeql:
+    name: Evaluate code for vulnerabilities
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go"]
+
+    steps:
+      - name: Set up git repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3

.github/workflows/goreleaser.yaml

@@ -11,21 +11,26 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up git repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Fetch all tags
         run: git fetch --force --tags
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
         with:
-          go-version: "1.20"
+          go-version: "1.21.5"
+
+      # - name: Install changelog gh cli extension
+      #   run: gh extension install chelnak/gh-changelog
+      #   env:
+      #     GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Fix GOPATH
         run: export PATH=$PATH:$(go env GOPATH)/bin
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5
         with:
           distribution: goreleaser
           version: latest

.github/workflows/meta-labeler.yaml

@@ -0,0 +1,29 @@
+---
+name: "Labeler"
+
+on:
+  workflow_dispatch:
+  pull_request_target:
+    branches: ["main"]
+    types: ["opened", "synchronize"]
+
+jobs:
+  labeler:
+    name: Labeler
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@c4fa18d55c5d49e6a2793e351ea4938322c61072 # v1.6.4
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+      - name: Labeler
+        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+        with:
+          configuration-path: .github/labeler.yaml
+          repo-token: "${{ steps.app-token.outputs.token }}"

.github/workflows/meta-sync-labels.yaml

@@ -0,0 +1,24 @@
+---
+name: "Meta Sync labels"
+on:
+  workflow_dispatch:
+  push:
+    branches: ["main"]
+    paths: [".github/labels.yaml"]
+
+jobs:
+  labels:
+    name: Sync Labels
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up git repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          token: "${{ secrets.BOT_TOKEN }}"
+
+      - name: Sync Labels
+        uses: EndBug/label-sync@da00f2c11fdb78e4fae44adac2fdd713778ea3e8 # v2.3.2
+        with:
+          config-file: .github/labels.yaml
+          token: "${{ secrets.BOT_TOKEN }}"
+          delete-other-labels: true

.github/workflows/nancy.yaml

@@ -0,0 +1,27 @@
+---
+name: Nancy 3p Vulnerability Scan
+on:
+  push:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+
+jobs:
+  nancy:
+    name: Run nancy to identify 3p go vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up git repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up Go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
+        with:
+          go-version: "1.21.5"
+
+      - name: Write go.list
+        run: go list -json -deps ./... > go.list
+
+      - name: Run nancy to check for vulnerabilities
+        uses: sonatype-nexus-community/nancy-github-action@main